Role Explosion: Acknowledging the Problem

In large enterprises subject to constant employee turnover and demanding security policies, the administration of Role-based Access Control (RBAC) is a daunting task that is often highly centralized in a small team of security administrators. The aim of this work is to determine why existing models for Administrative Role-based Access Control (ARBAC) have failed to achieve success and thus motivate the requirement for a new model named One+ RBAC Administration (ARBAC1+). To meet this objective, the term role explosion is described through its symptoms and supported with case studies that identify misconceptions found in previous ARBAC models. ARBAC1+ is then proposed within the context of the Government of Canada; however, its use is not limited to this organization.
